Multiple user VLANs and Voice VLAN on one port

No_Traffic

Environment:

MS225-48FP, DHCP handed out by our firewall. Layer 2 switching only, 802.1X with RADIUS on a Windows domain controller.

Due to the limited number of Ethernet ports in the wall, some areas of the office have a non-Cisco switch that passes VLAN tags and have multiple Mitel phones with people's computers tethered to the Mitel phones.

We have 3 VLANs, let's call them:

VLAN 1 (native VLAN)
VLAN 2 (Voice VLAN)
VLAN 3 (IT Only VLAN)

With our legacy Cisco SG500-52P switch, there was an option for "Multi-Session" which allowed regular users who authenticated via 802.1X successfully to get onto VLAN 1 and IT users who authenticated to be placed on VLAN 3. Phones are tagged and placed on VLAN 2.

However, with the Meraki MS225-48FP I am unable to get this configured correctly via Access Policy. If I select an access policy with Multi-Host or Multi-Auth, users get placed on the VLAN of whoever authenticates first. So if an IT user authenticates first, subsequent regular users get placed on the IT VLAN and vice versa. Phones are tagged correctly and placed on the correct VLAN 2.

Is there a way to configure multiple devices, multiple VLANs, multiple users authenticating 802.1X on a single port?

NolanHerring

Not sure if this helps, but I ran across this; I've never done any of this myself.

https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

You can have

  • Multi-Domain and have one device placed into the Voice domain and one device placed into the Data domain, or
  • Multi-Auth, where more than one host is placed into the Data domain, but
  • the downside with using Multi-Auth is:

“After a VLAN is assigned to a host on the port, subsequent hosts must have matching VLAN information or be denied access to the port. Only one client is supported on the voice VLAN. Guest VLANs are not supported in this mode.”

Source: https://documentation.meraki.com/MS/Access_Control/MS_Switch_Access_Policies_(802.1X)

Unfortunately, using Multi-Host won’t work either:

“With multi-host, a single successful authentication will put the port into a forwarding state. All subsequent authentication attempts are ignored.”

So in a nutshell: guess you’re out of luck here.

"subsequent hosts must have matching VLAN information": does it mean the wired 802.1X info?


Try using the RADIUS authorization rule to assign the VLAN ID for the 2nd data-domain device.
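Worked model of the three host modes discussed in the replies above, and of the RADIUS VLAN assignment the last reply suggests. This is an added example, not Meraki's code and not something posted in the thread: the port behaviour is a literal reading of the documentation sentences quoted above, the MAC addresses and VLAN numbers are constructed, and the attribute names follow RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which is the standard way a RADIUS server such as NPS returns a VLAN in Access-Accept.

```python
"""Toy model of one 802.1X switch port under the three host modes quoted in
this thread (multi-host, multi-auth, multi-domain). Added example, not Meraki
code: the rules are a literal reading of the documentation text quoted above,
the MAC addresses and VLAN numbers are constructed, and the RADIUS attributes
follow RFC 3580 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802,
Tunnel-Private-Group-ID = VLAN number as a string)."""
from dataclasses import dataclass, field
from typing import Optional

DATA, VOICE = "data", "voice"


def radius_vlan_attrs(vlan_id: int) -> dict:
    """Attributes a RADIUS server returns in Access-Accept to assign a VLAN
    (on NPS these live in the network policy's RADIUS Attributes tab)."""
    return {
        "Tunnel-Type": 13,                    # VLAN
        "Tunnel-Medium-Type": 6,              # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


@dataclass
class Port:
    mode: str                                   # "multi-host", "multi-auth" or "multi-domain"
    voice_vlan: int
    data_vlan: Optional[int] = None             # fixed by the first data-domain auth
    hosts: dict = field(default_factory=dict)   # mac -> (domain, vlan)

    def _allow(self, mac, domain, vlan, reason):
        self.hosts[mac] = (domain, vlan)
        return (True, vlan, reason)

    def _deny(self, reason):
        return (False, None, reason)

    def authenticate(self, mac: str, domain: str, accept_attrs: dict):
        """One successful EAP exchange; returns (allowed, vlan, reason)."""
        if domain == VOICE:
            # quoted doc text: only one client on the voice VLAN (multi-auth),
            # one voice device (multi-domain); multi-host is not constrained here
            if self.mode != "multi-host" and any(d == VOICE for d, _ in self.hosts.values()):
                return self._deny("only one client is supported on the voice VLAN")
            return self._allow(mac, VOICE, self.voice_vlan, "voice domain")
        requested = int(accept_attrs["Tunnel-Private-Group-ID"])
        if self.mode == "multi-host":
            # first success opens the port; later auths are ignored and the
            # host simply rides whatever VLAN the port is already in
            if self.data_vlan is None:
                self.data_vlan = requested
                return self._allow(mac, DATA, requested, "port put into forwarding")
            return self._allow(mac, DATA, self.data_vlan, "auth ignored, port already forwarding")
        if self.mode == "multi-domain":
            if any(d == DATA for d, _ in self.hosts.values()):
                return self._deny("multi-domain allows a single data host")
            return self._allow(mac, DATA, requested, "data domain")
        # multi-auth: every host authenticates, but must match the port's VLAN
        if self.data_vlan is not None and requested != self.data_vlan:
            return self._deny(f"VLAN {requested} != port data VLAN {self.data_vlan}")
        self.data_vlan = requested
        return self._allow(mac, DATA, requested, "data domain")


def run_scenario(mode: str, second_user_vlan: int = 1):
    """The OP's office: an IT user (RADIUS says VLAN 3) authenticates first,
    then a regular user (VLAN 1 unless overridden), then a Mitel phone
    (voice VLAN 2). Returns [(allowed, vlan), ...] in that order."""
    port = Port(mode=mode, voice_vlan=2)
    events = [  # constructed MACs
        ("00:11:22:33:44:01", DATA, radius_vlan_attrs(3)),                 # IT user
        ("00:11:22:33:44:02", DATA, radius_vlan_attrs(second_user_vlan)),  # regular user
        ("00:11:22:33:44:03", VOICE, radius_vlan_attrs(2)),                # phone
    ]
    return [(ok, vlan) for ok, vlan, _ in (port.authenticate(*e) for e in events)]


if __name__ == "__main__":
    for mode in ("multi-host", "multi-auth", "multi-domain"):
        print(mode, run_scenario(mode))
    # the only way a second data host passes under multi-auth: matching VLAN
    print("multi-auth, matching VLAN", run_scenario("multi-auth", second_user_vlan=3))
```

Running it reproduces the thread's findings: under multi-host the second user silently lands in VLAN 3 because their authentication is ignored; under multi-auth and multi-domain the second user is denied; and the only way an authorization rule gets a second data host onto the same port under multi-auth is to return the same VLAN the first host received. The per-user split the SG500's Multi-Session mode gave (regular users on VLAN 1 and IT on VLAN 3 behind one port) is not one of these outcomes.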
